OAB is horribly broken
Hello all, we have an Exchange 2010 server on one domain (let's call it Company.local) in one location, and a second location that is operating on a different domain/forest altogether (City.Company). The two domains have a two-way trust set up between them so that user accounts are recognized between them, and they communicate via a hardware-based VPN tunnel. To set up City.Company users with mailboxes in Exchange we made linked mailboxes, which has worked fine for the most part. Historically users have had no problems logging in to OWA, and their Outlook 2010 clients worked normally. Yesterday, users at the secondary site began reporting that they were getting password prompts, and regardless of what was tried it just looped the request. If the "Connection Status" of the Outlook client was opened it showed that the request was due to the Offline Address Book (and indeed the prompt would always appear *after* the client had synced all of the mail, so it wasn't as if the client couldn't connect to Exchange at all). Going down that rabbit hole, I ran ProcessMon on the server and found that the w3wp service was trying to use the NT AUTHORITY\IUSR account to access the OAB.xml file found on the Exchange server, and sure enough on the parent GUID folder the IUSR account was set to have its Read permissions denied. Setting this to allow fixed the issue, letting users download the OAB. However, when the Exchange File Distribution Service runs it resets the permissions, so it is only a temporary fix. Any ideas?
April 20th, 2012 12:38pm

Check this site for OAB defaults: http://technet.microsoft.com/en-us/library/gg247612.aspx Also check the DefaultAppPool on your CAS to make sure the identity the pool is running under is ApplicationPoolIdentity. This is assuming you have not changed OAB into a standalone application with its own AppPool.
April 23rd, 2012 2:10pm

I'm showing the DefaultAppPool is running as ApplicationPoolIdentity, and all MSExchange* pools are running as LocalSystem. Additionally, I noticed that I had Anonymous and Basic enabled for OAB in addition to Windows authentication. Disabling Basic had no effect either way, but disabling Anonymous access results in the authentication loop even with the IUSR read access band-aid in place on the "...\ClientAccess\OAB\GUID" folder. This is starting to make some sense; as I recall the IUSR account is only used for anonymous access. What is odd is that users on the Company.local domain have no issues, it is only those coming from the City.Company domain. It's acting like Exchange simply doesn't know who those users are, and even then only for the OAB functionality. Even more odd is that this worked before, and only broke during a patch a couple months ago.
April 23rd, 2012 2:29pm

Hello, here is the default permission for the OAB.XML file. Thanks, Simon
April 23rd, 2012 9:52pm

Check this article on permissions for linked mailboxes in remote forests: http://technet.microsoft.com/en-us/library/dd298099.aspx#Configure Also, have you verified that your trust is fully functional?
April 24th, 2012 8:28am

Unfortunately, while our permissions for the file are correct, the issue persists. We have verified that there may be some issue with the trust. What we have found is that while the City.Company users can log in to OWA at all times, signifying that the trust is at least partially working, we cannot add City.Company users to folder permissions on a server on the Company.local domain. It sees the users and check name works, but once you try to finalize the setting it gives an error that essentially says it is having difficulty contacting the City.Company domain. Is there anything that comes to mind that would make a domain trust partially work in such a manner?
April 30th, 2012 9:11am

How is your DNS setup across the two domains? Are you using 2008 servers? It sounds like a problem with the DNS queries between the two domains. Have a look at this: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/7c2a21c4-4e0f-43c8-8089-3dc6441bb1aa
--Mike--
April 30th, 2012 10:36am

Check on your Client Access Servers: on the web.config file under the OAB vdir (typically at C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB), make sure Authenticated Users is listed with read/execute permissions. It's a long shot, but something else to check.
May 1st, 2012 12:01pm
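The checks the replies above suggest (an IUSR Read deny on the OAB GUID folders, Authenticated Users read/execute on the vdir, the app pool identities, and which IIS authentication modes the OAB vdir has enabled) can be gathered in one pass. This is an added PowerShell audit, not code from any poster; it assumes the default OAB vdir path quoted above, the "Default Web Site" IIS site, and an elevated PowerShell session on the CAS.

```powershell
# Added example: audit the OAB-related settings discussed in this thread on an Exchange 2010 CAS.
# Assumptions: default vdir path, OAB vdir lives under "Default Web Site", run elevated on the CAS.
$OabRoot = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB'
$SiteName = 'Default Web Site'

function Get-OabAclIssues {
    param([string]$Path)
    $issues = @()
    # Audit the vdir root (holds web.config) and every GUID subfolder beneath it.
    $targets = @($Path) + @(Get-ChildItem -Path $Path -Directory | ForEach-Object { $_.FullName })
    foreach ($t in $targets) {
        $acl = Get-Acl -Path $t
        # The original poster found an explicit Deny on Read for IUSR on the GUID folder.
        $iusrDeny = $acl.Access | Where-Object {
            $_.IdentityReference -like '*\IUSR' -and $_.AccessControlType -eq 'Deny' -and
            $_.FileSystemRights -match 'Read'
        }
        # A later reply asks for Authenticated Users with read/execute on the vdir.
        $authRead = $acl.Access | Where-Object {
            $_.IdentityReference -like '*Authenticated Users' -and $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'ReadAndExecute|Modify|FullControl'
        }
        if ($iusrDeny)       { $issues += [pscustomobject]@{ Path = $t; Issue = 'IUSR has Read denied' } }
        if (-not $authRead)  { $issues += [pscustomobject]@{ Path = $t; Issue = 'Authenticated Users lacks Read/Execute' } }
    }
    return $issues
}

function Get-OabAuthModes {
    param([string]$Site)
    # Report which of the three IIS authentication modes are enabled on the OAB vdir.
    foreach ($mode in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
        $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\OAB" `
                 -Filter "system.webServer/security/authentication/$mode" -Name enabled
        [pscustomobject]@{ Mode = $mode; Enabled = [bool]$v.Value }
    }
}

Import-Module WebAdministration

Write-Host "== NTFS ACL issues under $OabRoot =="
Get-OabAclIssues -Path $OabRoot | Format-Table -AutoSize

Write-Host '== Application pool identities (DefaultAppPool expected: ApplicationPoolIdentity) =='
Get-ChildItem IIS:\AppPools | Select-Object Name,
    @{ n = 'IdentityType'; e = { $_.processModel.identityType } },
    @{ n = 'UserName';     e = { $_.processModel.userName } } | Format-Table -AutoSize

Write-Host "== IIS authentication on $SiteName/OAB =="
Get-OabAuthModes -Site $SiteName | Format-Table -AutoSize
```

Re-run the ACL section after the Exchange File Distribution Service has next run, since the thread notes it rewrites the folder permissions.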
